How a second chip lets hackers bypass bank card verification

Original author: Panda Security


When you chose or changed the PINs for your credit card and cell phone, you did everything right: you resisted the temptation to use your year of birth, and you picked different codes for the card and the phone. However, these precautions can be useless if a cybercriminal intercepts your credit card at a point of sale.

The standard verification process for debit and credit card payments requires a card with an integrated chip and a PIN. However, a group of researchers from École Normale Supérieure (ENS) in Paris recently published a report explaining how a group of hackers found a way around this system and managed to steal 600,000 euros from hacked cards. The good news is that they were arrested shortly afterwards.

A group of hackers stole 40 credit cards, which should have been useless to the criminals as long as they did not know the cards' PINs. However, the criminals turned out to be no amateurs: they modified the cards by adding a second chip inside them, which could not be noticed by looking at the card.



When the card was inserted into the payment terminal (POS terminal), they exploited an EMV vulnerability to carry out a man-in-the-middle attack, which allowed them to intercept communications between the card and the system.

At this point the second chip came into play, allowing the hackers to complete the transaction with any PIN. The method turned out to be so simple that they used it more than 7000 times.

Although, according to the researchers, these vulnerabilities have been fixed and the fraudsters were arrested, this case shows how important it is to contact your bank if your wallet is stolen or your bank card is lost.

Moreover, modifying a card is not the only way criminals can clean you out once the card is in their hands. Ross Anderson, a professor of security engineering at the University of Cambridge, has been investigating for many years how hackers can gain control of a credit card, and recently summed up his research by pointing out the opportunities that remain open to cybercriminals.

The methods cybercriminals could use include copying card information from a POS terminal to a third party, transferring the chip information and card PIN to the magnetic stripe of another card, or even manipulating the POS terminal to intercept the card during a transaction and send the information to a cell phone.

So what can users do, now that they know about these vulnerabilities? In fact, there is not much they can do, because most of these scams exploit weaknesses in standard POS terminals. This means that bank card manufacturers and the banks themselves must ensure that transactions are as safe as possible.

The recommendations include the following: pay by bank card only at retail outlets you trust, do not keep all your savings in the same account, and periodically check your accounts to make sure there are no suspicious transactions.



Knowing about credit card vulnerabilities can also help us choose alternatives, such as cards with fingerprint scanners. This method offers serious protection against cybercriminals.

Over the past year, MasterCard introduced the first card with a fingerprint scanner, made in collaboration with the Norwegian startup Zwipe. We have also seen major credit card manufacturers say they will experiment with face recognition technology for online orders.

Developments like these may help us move away from traditional passwords over the next few years, which could solve the problems with vulnerabilities in card chips and PINs. In the meantime, the best thing to do is to be aware of the risks we may face when using bank cards.
